Computer forensics is the application of computer investigation and analysis techniques to identify and capture potential legal evidence stored or otherwise maintained within a computing device. The evidence might be sought during an investigation of a wide range of potential computer crimes or misuse, including theft of trade secrets, theft of service, theft or destruction of intellectual property, fraud, hacking, and other criminal or misuse activities. The evidence might also be sought during an investigation of non-computer-related crimes or misuse in which the computing device stores evidence of that crime or misuse. For example, the computing device of a suspect may store computer evidence, such as e-mails or ransom notes, that ties the suspect to a kidnapping. Unlike paper evidence, computer evidence can exist in many forms, with earlier versions and even some deleted versions of the evidence still accessible on a storage medium. Forms of computer evidence may include system log files, executing processes, stored files and the like.
An investigator may draw on an array of methods to discover and capture evidence from a computing device. One common method for obtaining computer evidence is on-site inspection or seizure of the computer. For example, the investigator may physically connect an analysis device to the target computer, or load analysis software on the target computing device, to acquire and analyze the computer evidence. As another example, the investigator may physically remove the target computer from its location and analyze it in the investigator's lab. However, when these discovery techniques are used on computers critical to a network, e.g., servers, the investigation may become burdensome to network users. Moreover, it is often desirable to collect evidence from a computer over time without being detected by the perpetrator of the crime, which can be difficult with many of these invasive techniques. Furthermore, in some cases volatile computer evidence, e.g., evidence held in volatile memory, may be lost when the target computer is turned off.